Unsupervised/unsupervised-scheduler
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Make WP admins instructors too, with an Access toggle page #29

Merged
thatguygriff merged 1 commits from feature/admin-access-control into main 2026-06-08 19:42:45 +00:00
Conversation 0 Commits 1 Files Changed 7
+279 -22
thatguygriff commented 2026-06-08 19:39:57 +00:00
Owner
Copy Link
Copy Source

Problem

A WordPress administrator inherited every studio-admin capability but not manage_availability (an instructor-only cap). For a single-instructor business where the owner runs the site as the admin, that meant no "My Availability" menu and no way to act as the instructor — the availability feature was unreachable from the only account they had.

What changed

  • Administrators are now instructors too. RoleManager extracts the instructor cap set into INSTRUCTOR_CAPS and grants it to administrators alongside the studio-admin caps, via the existing dynamic user_has_cap filter (nothing persisted; reverts on deactivation).
  • Both grants are now configurable. A new Access admin page (AccessSettings + templates/admin/access.php) exposes two toggles — "WordPress administrators are Studio Admins" and "are Instructors" — stored as us_admin_grant_studio / us_admin_grant_instructor, both default on so existing installs are unchanged.
  • Lockout-safe by design. The Access page is gated on the core manage_options capability — which the plugin never grants or revokes — so an administrator can always reach it to re-enable a grant. Disabling one can never lock them out.
  • AdminMenu registers the Access page right after Studio Settings (position 30.5), and the leading studio sidebar separator now shows for any administrator so the grouping stays intact even with both grants off.

Use cases

  • Single-instructor studio (default): the owner-as-admin manages availability, gets booked, and runs the business from one account.
  • Larger studio: turn the grants off so dedicated us_studio_admin / us_instructor accounts run the studio and administrators don't appear as studio staff.

Checks

composer test (185 tests, 532 assertions), composer lint (PHPStan L6 — no errors), composer cs (PHPCS) all green. New AccessSettingsTest; RoleManagerTest gains toggle coverage; docs/features/user-roles.md updated.

🤖 Generated with Claude Code

## Problem A WordPress administrator inherited every **studio-admin** capability but **not** `manage_availability` (an instructor-only cap). For a single-instructor business where the owner runs the site as the admin, that meant **no "My Availability" menu and no way to act as the instructor** — the availability feature was unreachable from the only account they had. ## What changed - **Administrators are now instructors too.** `RoleManager` extracts the instructor cap set into `INSTRUCTOR_CAPS` and grants it to administrators alongside the studio-admin caps, via the existing dynamic `user_has_cap` filter (nothing persisted; reverts on deactivation). - **Both grants are now configurable.** A new **Access** admin page (`AccessSettings` + `templates/admin/access.php`) exposes two toggles — "WordPress administrators are Studio Admins" and "are Instructors" — stored as `us_admin_grant_studio` / `us_admin_grant_instructor`, **both default on** so existing installs are unchanged. - **Lockout-safe by design.** The Access page is gated on the core `manage_options` capability — which the plugin never grants or revokes — so an administrator can always reach it to re-enable a grant. Disabling one can never lock them out. - **AdminMenu** registers the Access page right after Studio Settings (position `30.5`), and the leading studio sidebar separator now shows for any administrator so the grouping stays intact even with both grants off. ## Use cases - **Single-instructor studio** (default): the owner-as-admin manages availability, gets booked, and runs the business from one account. - **Larger studio**: turn the grants off so dedicated `us_studio_admin` / `us_instructor` accounts run the studio and administrators don't appear as studio staff. ## Checks `composer test` (185 tests, 532 assertions), `composer lint` (PHPStan L6 — no errors), `composer cs` (PHPCS) all green. New `AccessSettingsTest`; `RoleManagerTest` gains toggle coverage; `docs/features/user-roles.md` updated. 🤖 Generated with [Claude Code](https://claude.com/claude-code)
thatguygriff added 1 commit 2026-06-08 19:39:58 +00:00
Make WP admins instructors too, and add an Access toggle page
CI / No Debug Code (pull_request) Successful in 3s
Details
CI / Tests (PHP 8.2) (pull_request) Successful in 41s
Details
CI / Tests (PHP 8.3) (pull_request) Successful in 51s
Details
CI / Tests (PHP 8.1) (pull_request) Successful in 54s
Details
CI / Coding Standards (pull_request) Successful in 58s
Details
CI / PHPStan (pull_request) Successful in 1m9s
Details
CI / Build Plugin Zip (pull_request) Has been skipped
Details
67f8144a4a 
A WordPress administrator previously inherited the studio-admin
capabilities but not `manage_availability`, so the studio owner running
as an admin had no way to reach "My Availability" or act as the
instructor — breaking single-instructor businesses.

Grant the instructor capabilities to administrators as well (via the
existing `user_has_cap` filter), and make both grants — studio-admin and
instructor — independently toggleable from a new Access admin page.

- RoleManager: extract `INSTRUCTOR_CAPS`; apply studio and instructor
  cap sets to administrators, each gated on a stored toggle (default on).
- AccessSettings + templates/admin/access.php: two options
  (`us_admin_grant_studio` / `us_admin_grant_instructor`), gated on the
  core `manage_options` capability so disabling a grant can never lock an
  administrator out of re-enabling it.
- AdminMenu: register the Access page after Studio Settings; keep the
  studio sidebar separator visible for any administrator.
- Tests for the toggles and the new settings reader; docs updated.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
thatguygriff merged commit fdadd2fb92 into main 2026-06-08 19:42:45 +00:00
thatguygriff deleted branch feature/admin-access-control 2026-06-08 19:42:45 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
Clear labels
bug
Something isn't working
 enhancement
Extends an existing feature
 feature
New user-facing capability
 payments
Billing, Stripe, receipts, reporting
 security
Security vulnerability or hardening
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
thatguygriff (James Griffin-Allwood)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Unsupervised/unsupervised-scheduler#29
Delete Branch "feature/admin-access-control"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?